FAQ
Short answers to the questions that come up most often.
How is this different from .env?
With .env the secret values live in a file on disk and in version-control-adjacent places. With Vaultlier, your repo holds only metadata — which keys exist and their types — while the values stay encrypted in the portal and are resolved in memory at runtime. You also get typing, per-environment values, versioned history, and role-scoped access.
Is the project id a secret?
No. The project id (prj_…) is a public identifier and is safe to commit. Reading or writing a project always additionally requires a valid API key, so the id alone grants nothing.
Does it work offline?
Schema operations degrade gracefully: pull without an API key regenerates the typed client from local metadata. Resolving secret values at runtime requires network access to the portal.
Can I init without an API key?
Yes. Press Enter at the API-key prompt during init. You can add a key later:
vaultlier config set apiKey=vlt_live_...
# or set it in the environment
export VAULTLIER_API_KEY=vlt_live_...Can I self-host the portal?
Yes. Point the CLI and SDK at your deployment with --api-url / VAULTLIER_API_URL (CLI) or the baseUrl client option (SDK). See Installation.
How do I rotate an API key?
Create a new key in the portal, deploy it via VAULTLIER_API_KEY, confirm it works with vaultlier config verify, then revoke the old key. Revocation is immediate. More in API Keys.